Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.4. Network Segmentation and Traffic Protection

First Principle: Network segmentation limits blast radius by isolating resources into zones where each zone has independent access controls. When segmentation is properly implemented, compromising one zone doesn't give the attacker access to other zones.

Traffic Direction Terminology:
  • North-South traffic: Traffic entering or leaving your VPC (internet ↔ VPC). Protected by edge controls, NAT Gateways, VPC endpoints.
  • East-West traffic: Traffic between resources within your VPC or between VPCs. Protected by security groups, NACLs, Network Firewall.
Segmentation Strategies:
| Strategy | Implementation | Best For |
|---|---|---|
| Subnet isolation | Separate public, private, and data subnets | Tier separation (web/app/data) |
| VPC isolation | Separate VPCs per workload or environment | Environment separation (dev/staging/prod) |
| Account isolation | Separate AWS accounts per function | Organizational boundary (security/app/data) |
| Transit Gateway segmentation | Route table associations control inter-VPC traffic | Multi-VPC architectures |
Isolated Subnets:

Private subnets with no route to the internet (no NAT Gateway, no Internet Gateway) provide the strongest isolation for sensitive resources like databases. Resources communicate only through VPC endpoints or private VPC peering.

⚠️ Exam Trap: A "private subnet" with a NAT Gateway still has outbound internet access. A truly isolated subnet has no route to 0.0.0.0/0 in its route table. Know the distinction — the exam tests it.

Scenario: A healthcare application requires PCI DSS compliance. You segment the architecture: public subnet for the ALB, private subnet for application servers (NAT Gateway for outbound updates), and isolated subnet for the RDS database (no internet route, accessible only from app subnet via security groups).
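As an added example (not part of the MindMesh Academy course material), the following Python audits the three-tier scenario above offline. It classifies each subnet as public, private or isolated from its route table, applying the exam-trap rule that an active default route to a NAT Gateway still means outbound internet access, and it checks that the database security group admits traffic only from the application tier's security group rather than from a CIDR. All route tables, security groups and ids are constructed to mirror the scenario; the field names follow the shape of EC2 DescribeRouteTables and DescribeSecurityGroups responses, so the same functions could be fed real describe output.

```python
"""Offline audit of the public / private / isolated three-tier layout.

Example code, not from the course. Input dictionaries use the field names of
EC2 DescribeRouteTables / DescribeSecurityGroups responses, reduced to the
fields needed here; every id and CIDR below is constructed.
"""

DEFAULT_DESTS = ("0.0.0.0/0", "::/0")  # IPv4 and IPv6 default routes


def route_target(route):
    """The gateway-like id a route points at (IGW, NAT, egress-only IGW), or ''."""
    return (route.get("GatewayId")
            or route.get("NatGatewayId")
            or route.get("EgressOnlyInternetGatewayId")
            or "")


def classify_subnet(routes):
    """Classify a subnet from its route table entries.

    'public'   - an active default route to an internet gateway (inbound and outbound)
    'private'  - an active default route to anything else, typically a NAT gateway or
                 egress-only IGW (outbound-only internet; NOT isolated)
    'isolated' - no active default route at all
    Routes in the 'blackhole' state (target deleted) give no connectivity and are
    skipped here, although they should still be cleaned up.
    """
    verdict = "isolated"
    for r in routes:
        if r.get("State", "active") != "active":
            continue
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_DESTS:
            continue
        if route_target(r).startswith("igw-"):
            return "public"  # strongest finding wins
        verdict = "private"
    return verdict


def sg_admits_only(sg, allowed_sg_id, port):
    """True if every ingress rule of `sg` is group-referenced to `allowed_sg_id` on `port`.

    Any CIDR or prefix-list rule, any other port, or a reference to another group
    fails the check. A group with no ingress rules passes (it admits nothing).
    """
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("PrefixListIds"):
            return False
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            return False
        pairs = perm.get("UserIdGroupPairs", [])
        if not pairs or any(p.get("GroupId") != allowed_sg_id for p in pairs):
            return False
    return True


# --- constructed sample data mirroring the scenario ----------------------------
PUBLIC_ROUTES = [  # ALB subnet: default route to an internet gateway
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0", "State": "active"},
]
APP_ROUTES = [  # "private" subnet: NAT for outbound updates, so NOT isolated
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example0", "State": "active"},
]
DB_ROUTES = [  # isolated subnet: only the local route plus a stale blackhole entry
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deleted0", "State": "blackhole"},
]
APP_SG_ID = "sg-0app00000"
DB_SG = {  # database port reachable only from the app tier's security group
    "GroupId": "sg-0db000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                       "UserIdGroupPairs": [{"GroupId": APP_SG_ID}], "IpRanges": []}],
}
LEAKY_DB_SG = {  # same port, but opened to the whole VPC CIDR: fails the check
    "GroupId": "sg-0db000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                       "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
}


def audit_scenario():
    """Return the segmentation verdict for each tier of the sample layout."""
    return {
        "public_subnet": classify_subnet(PUBLIC_ROUTES),
        "app_subnet": classify_subnet(APP_ROUTES),
        "db_subnet": classify_subnet(DB_ROUTES),
        "db_sg_app_only": sg_admits_only(DB_SG, APP_SG_ID, 5432),
        "leaky_db_sg_app_only": sg_admits_only(LEAKY_DB_SG, APP_SG_ID, 5432),
    }


if __name__ == "__main__":
    for name, verdict in audit_scenario().items():
        print(f"{name}: {verdict}")
```

Run the file directly to print the verdict for each tier. The app subnet comes back as "private", not "isolated", because its NAT route is active; the database subnet is "isolated" because its only default route is a blackhole, and the leaky security group fails because a CIDR rule is not a group reference.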

Reflection Question: Why does effective segmentation require layering account isolation, VPC isolation, subnet isolation, and security group isolation rather than relying on one layer?

Written by Alvin Varughese, Founder, 15 professional certifications